Fix Actions issues

.github/workflows/android.yml

@@ -27,9 +27,10 @@ jobs:
       matrix_architecture: ${{ steps.export-result.outputs.matrix_architecture }}
       matrix_python_version: ${{ steps.export-result.outputs.matrix_python_version }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
         with:
           submodules: false
+          persist-credentials: false
       - name: Use expanded matrix
         if: github.event.inputs.use_expanded_matrix == '1'
         run: |
@@ -60,7 +61,7 @@ jobs:
         - os: macos-15
           architecture: x64
     steps:
-      - uses: lukka/get-cmake@latest
+      - uses: lukka/get-cmake@591817e96fcad43505fb4eae36172462abb3a42e # ratchet:lukka/get-cmake@latest
         with:
           cmakeVersion: "~3.31.0"
       - name: setup Xcode version (macos)
@@ -91,9 +92,10 @@ jobs:
           echo "Enabling expanded build and test matrix."
           echo "USE_EXPANDED_MATRIX=1" >> $GITHUB_ENV
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
         with:
           submodules: true
+          persist-credentials: false
 
       - name: Set env variables for subsequent steps (all)
         shell: bash
@@ -105,18 +107,18 @@ jobs:
           MATRIX_ARCHITECTURE: ${{ matrix.architecture }}
 
       - name: Setup python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4
         with:
           python-version: ${{ matrix.python_version }}
           architecture: ${{ matrix.architecture }}
 
       - name: Add msbuild to PATH
         if: startsWith(matrix.os, 'windows')
-        uses: microsoft/setup-msbuild@v1.1
+        uses: microsoft/setup-msbuild@34cfbaee7f672c76950673338facd8a73f637506 # ratchet:microsoft/setup-msbuild@v1.1
 
       - name: Cache NDK
         id: cache_ndk
-        uses: actions/cache@v3
+        uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # ratchet:actions/cache@v3
         with:
           path: /tmp/android-ndk-r21e
           key: android-ndk-${{ matrix.os }}-r21e
@@ -161,7 +163,7 @@ jobs:
 
       - name: Cache ccache files
         id: cache_ccache
-        uses: actions/cache@v3
+        uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # ratchet:actions/cache@v3
         with:
           path: ccache_dir
           key: dev-test-ccache-${{ env.MATRIX_UNIQUE_NAME }}

.github/workflows/build-report.yml

@@ -26,22 +26,23 @@ jobs:
       if: ${{ matrix.test_set == 'firestore' }}
       run: sleep 300
     - name: Setup python
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4
       with:
         python-version: 3.9
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
       with:
         fetch-depth: 0
+        persist-credentials: false
     - name: Install Desktop SDK prerequisites
-      uses: nick-invision/retry@v2
+      uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2
       with:
         timeout_minutes: 15
         max_attempts: 3
         command: |
           python3 scripts/gha/install_prereqs_desktop.py --gha_build
           python3 -m pip install requests python-dateutil progress attrs
     - name: Fetch GitHub jobs (with retry)
-      uses: nick-invision/retry@v2
+      uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2
       with:
         timeout_minutes: 20
         max_attempts: 3
@@ -53,7 +54,7 @@ jobs:
           fi
           python3 scripts/gha/report_build_status.py --token ${{ github.token }} --days ${{ env.numDays }} --write_cache build_status_short.cache ${extra_flags}
     - name: Fetch extended GitHub jobs (with retry)
-      uses: nick-invision/retry@v2
+      uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2
       with:
         timeout_minutes: 80
         max_attempts: 3
@@ -103,7 +104,7 @@ jobs:
       run: |
         cat comment.md
     - name: Update GitHub issue (with retry)
-      uses: nick-invision/retry@v2
+      uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2
       with:
         timeout_minutes: 5
         max_attempts: 3

.github/workflows/checks.yml

@@ -4,7 +4,8 @@ on:
   pull_request:
     types: [opened, reopened, synchronize, labeled, unlabeled]
 
-permissions: write-all
+permissions:
+  contents: read
 
 env:
   triggerLabelFull: "tests-requested: full"
@@ -21,11 +22,12 @@ jobs:
   file_format_check:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
         with:
           submodules: false
+          persist-credentials: false
       - name: Setup python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4
         with:
           python-version: 3.9
       - name: Install prerequisites
@@ -43,24 +45,31 @@ jobs:
   check_integration_test_labels:
     # This check fails if integration tests are queued, in progress, or failed.
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      pull-requests: read
     steps:
-    - uses: docker://agilepathway/pull-request-label-checker:latest
+    - uses: docker://index.docker.io/agilepathway/pull-request-label-checker@sha256:14f5f3dfda922496d07d53494e2d2b42885165f90677a1c03d600059b7706a61 # ratchet:docker://agilepathway/pull-request-label-checker:latest
       with:
         none_of: "${{ env.statusLabelInProgress }},${{ env.statusLabelFailed }},${{ env.triggerLabelFull }},${{ env.triggerLabelQuick }}"
         repo_token: ${{ github.token }}
 
   generated_docs_check:
     # This check succeeds if Doxygen documentation generates without errors.
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
-      - uses: lukka/get-cmake@latest
+      - uses: lukka/get-cmake@591817e96fcad43505fb4eae36172462abb3a42e # ratchet:lukka/get-cmake@latest
         with:
           cmakeVersion: "~3.31.0"
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
         with:
           submodules: false
+          persist-credentials: false
       - name: Setup python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4
         with:
           python-version: 3.9
       - name: Install prerequisites
@@ -95,9 +104,10 @@ jobs:
     # Check for Google copyright in each file.
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
         with:
           submodules: false
+          persist-credentials: false
       - name: Run check_copyright.sh
         run: |
           set -e
@@ -107,12 +117,13 @@ jobs:
     # Check that the readme was updated, unless the PR has a specific label set (env.skipReleaseNotesLabel).
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
         # Skip this if the PR has the skipReleaseNotes label or if it's a merge to other than main.
         if: ${{!contains(github.event.pull_request.labels.*.name, env.skipReleaseNotesLabel) && (github.event.pull_request.base.ref == 'main')}}
         with:
           fetch-depth: 0
           submodules: false
+          persist-credentials: false
       - name: Check whether release notes have been updated
         # Skip this if the PR has the skipReleaseNotes label or if it's a merge to other than main.
         if: ${{!contains(github.event.pull_request.labels.*.name, env.skipReleaseNotesLabel) && (github.event.pull_request.base.ref == 'main')}}

.github/workflows/checks_secure.yml

@@ -2,6 +2,9 @@ name: Checks (secure)
 # These are run on base branch with read/write access.
 
 on:
+  # This trigger is only safe-ish to use if steps are gated behind the
+  # action-has-permission check.
+  # zizmor: ignore[dangerous-triggers]
   pull_request_target:
     types: [synchronize]
 
@@ -19,19 +22,20 @@ jobs:
     steps:
       - name: Check user permission
         id: check
-        uses: scherermichael-oss/action-has-permission@1.0.6
+        uses: scherermichael-oss/action-has-permission@136e061bfe093832d87f090dd768e14e27a740d3 # ratchet:scherermichael-oss/action-has-permission@1.0.6
         # This action sets outputs.has-permission to '1' or ''
         with:
           required-permission: write
         env:
           GITHUB_TOKEN: ${{ github.token }}
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
         if: steps.check.outputs.has-permission != 1 || github.event.pull_request.head.repo.full_name != github.repository
         with:
           submodules: false
+          persist-credentials: false
       - name: Setup python
         if: steps.check.outputs.has-permission != 1 || github.event.pull_request.head.repo.full_name != github.repository
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4
         with:
           python-version: 3.9
       - name: Install prerequisites